editor’s letter 
WINTER 2011 EDITION 


Urgency of Endpoint Security 
and the Big-Data Talent Gap 


Two pieces in this issue provide timely insights into some major computing trends: that of “big data”—datasets beyond the ability of typical database software tools to store, capture, and analyze—and the security of endpoints, any device with an IP address and a port that is formally attached to the corporate network. 

Writer Sreedhar Kajeepeta, global VP and CTO of technology 
consulting for CSC’s global business solutions unit, provides a wakeup call in this issue for 
the security of endpoints. Although endpoints primarily refer to servers, desktops, laptops, 
smart phones, and embedded systems, today a newer set of endpoint concerns has emerged, 
related to virtualization, mobility, and social networking. 

In social networking, for instance, where server endpoints may host customer data, as 
opposed to just marketing collateral, on public clouds managed by sites such as Facebook 
or Twitter, companies need to be concerned about data security and regulatory compliance 
issues related to the vertical industries involved, Kajeepeta notes. 

Gartner Group has identified a market for Endpoint Protection Platforms and issued a 
Magic Quadrant report on the segment. Despite improvements and a variety of security 
products, malware is on the rise in general. 

So now the corporate security analysis challenges corporate IT professionals and system 
integrators to conduct a broader plan. The author suggests two recommended frameworks. 

Writer Umesh Jain, founder and president of Merging Elements, an advisory firm 
focused on customer management and IT strategy, clarifies the picture of big data as having 
three critical elements important to recognize. The first is the volume of data, being driven 
by the growth of social networking sites such as Facebook, and the growth in mobile 
phones and associated data. Today, big data is terabytes and even petabytes of information. 

The second is the variety of data sources generating data that results in big data today, 
including Web sources such as clickstreams, RFID data from supply-chain applications, 
unstructured text data from contact centers, geospatial data, and multimedia data. The 
third crucial driver is the velocity, or speed, at which this data is being generated, making it 
difficult to analyze the data and take action. 

Jain outlines good reasons this data needs to be analyzed, and he identifies a “talent 
gap” between the managerial skill sets needed to analyze big data and the available supply. 
He cites a McKinsey Global Institute study saying the U.S. faces a shortage of 140,000 to 
190,000 managers with deep analytical skills, and 1.5 million managers skilled in analysis to 
be able to make decisions on the findings. This is a challenge and an opportunity. 

We hope these insights will help IT professionals in our audience to do a better 
job. Please let me know what you think of the two pieces and what other topics would 
interest you. 


Regards, 


John P. Desmond 
Editor, Software Magazine 
jdesmond@softwaremag.com 
THE BUSINESS OF IT 


On the Edge 
of a Breakthrough 


By and large, companies have been forced to react to recent economic pressures by slashing budgets, reducing staff, and postponing needed IT infrastructure upgrades. Frequently, these decisions were based purely on the need to cut costs, with little consideration of how such actions would impact business and revenue growth goals. 

During times of economic uncertainty, needed IT infrastructure upgrades and transformations are regularly postponed. In spite of this reprioritization, however, businesses frequently fail to determine how to proactively direct resources toward maximizing the value of their existing IT systems by choosing simpler, less expensive options designed to improve productivity and deliver a faster time to market and speed to value. 

This can be accomplished by redi- 
recting IT investments from the “core” 
infrastructure and applications, such as 
enterprise resource planning (ERP) so- 
lutions, to enterprise applications and 
solutions with technologies that deliver 
value at the “edge.” 

“Edge” IT applications include por- 
tals, e-commerce platforms, mobile 
applications, and distributed business 
intelligence (BI) platforms that enable 
real-time (or near real-time) interac- 
tion with employees, customers, sup- 
pliers, and other stakeholders. By de- 
sign, edge IT applications improve the 
customer and employee experience, 
reduce costs, and maximize efficiencies 
at investment levels much lower than 
what would be required for core enter- 
prise system customization. 

Focusing on the edge directs investments toward solutions that create customer and shareholder value in a shorter timeframe; this strategy also prepares businesses to address future economic downturns. To determine how to maximize IT investments to ensure that consistent, incremental value is delivered to shareholders, stakeholders, and employees even in the most challenging economic circumstances, executives need to consider how the industry value chain, economic cycles, and the choices in IT application architectures impact their organizations. 

www.softwaremag.com 


The Industry Value Chain 

Throughout history, economies have changed along with theories about value chains—the combination of participants (both suppliers and customers) that come together to create, purchase, and sell materials and finished goods to the customer. Once upon a time, businesses like Ford Motor Company contained an entire value chain within the organization—Ford owned the foundry that manufactured the steel, the factories that built the cars, and the dealerships that sold them. 

When increased competition from 
international steel companies and for- 
eign car manufacturers drove companies 
like Ford and General Motors to special- 
ize in order to drive efficiencies and im- 
prove the quality of their vehicles, value 
chains were forced to evolve. The value 
chain within almost every industry was 
affected in a similar fashion, as compo- 
nent manufacturing became outsourced 
to specialized organizations. 

In both good and bad economies, 
companies look for ways to reduce the 
length of time it takes for a product to 
reach the customer by collapsing the 
value chain. In the past, enterprises 
would spend billions of dollars on core 
ERP and electronic data interchange 
(EDI) systems, the soundest invest- 
ment possible given the alternatives. 

This is no longer the case—organizations now have tremendously rich enabling technologies that can be used to improve the experience and create additional value for stakeholders. Changing the IT investment approach to edge solutions supports rapid time to market and reduces the cost of development, while still delivering on business requirements. 


John Humphrey is a co-founder of Pariveda Solutions and currently serves as its chairman of the board. Steven Rogers is a vice president at Pariveda Solutions and has extensive experience with Web technologies and service-oriented architectures. 


The Economic Cycle 

A common error that organizations 
make during an economic growth 
phase is to direct the majority of avail- 
able funding for capital IT projects to- 
ward core IT infrastructure and ERP. 
However, because core IT systems re- 
quire tremendous capital investment 
and time to implement, directing a 
majority of the budget toward these 
solutions takes the focus away from 
more nimble, lower-cost alternatives. 
Organizations that thrived during the 
downturn captured as much value as 
possible out of the systems they al- 
ready owned. 

Investing in capital projects that 
yield incremental value for stakehold- 
ers frequently provides organizations 
with a competitive advantage. Orga- 
nizations benefit from a greater num- 
ber of solutions that can be delivered 
during all parts of the economic cycle; 
they also develop a more cost-effective 
enterprise architecture that can con- 
tinue to adapt during the downturns. 
In the process, dynamic IT cultures are 
created and resources directed to seek 
out opportunities to quickly deliver so- 
lutions to market and rapidly react to 
changing business demands. 


The Core vs. the Edge 

If the core is about transactions, the edge is where the biggest opportunity exists to improve the customer and employee experience, increase automation and accuracy, and collapse the latencies in the value chain. Edge applications move transactions closer to the “moment of value”—the expedited exchange of goods, services, and/or information among value-chain participants (employees, suppliers, and customers). 

Figure 1: Value Is Created at “the Edge” 

Investing at the edge enables effi- 
ciencies that promote better decisions 
(BI), deploy solutions to employees, 
customers, and suppliers (e-commerce, 
portals), drive those efficiencies deeper 
into the value chain (mobility), and 
deploy data and integration through 
various Web services across the value 
chain. (See Fig. 1.) Edge applications 
are also more self-contained and allow 
organizations to rapidly deploy and/or 
adjust as business conditions change. 

Increased investments in core applications result in intensive and expensive labor demands; projects can last for years and cost tens of millions of dollars. Conversely, edge applications can be delivered incrementally and create new value in a very short time period. 

Source (Fig. 1): Pariveda Solutions 

When economic tides turn, there is 
little time to react. The best-prepared 
organizations will have the ability to 
quickly respond and deliver new solu- 
tions to meet the needs of their cus- 
tomers, partners, and employees. As 
we enter the beginning stages of an 
economic recovery, companies should 
explore how to direct capital invest- 
ments to the edge. 

The delivered solutions will drive 
latency from the value chain and allow 
the kinds of efficiencies that will pro- 
mote reductions in labor costs in the 
future. Maximizing the edge also ad- 
dresses the moment of value and miti- 
gates the risks associated with attempt- 
ing to deliver all business needs with 
core IT applications. Speed, value, and 
flexibility—each are addressed through 
the edge. SW 




Re-architect your legacy applications, 
Re-engineer your business. 


MAKE Technologies TLM® Enterprise Software Suite enables customers to migrate business critical legacy systems to modern agile platforms, delivering the highest quality outcomes across the entire modernization journey. The end result enables strategic growth, reduces operational costs and restores business agility. The 5 TLM® products assist and automate the re-architecture of legacy applications, resulting in higher quality outcomes at lower risk than competing approaches. 

Contact us at www.maketechnologies.com or 1.866.678.6253 to learn how we can help you. 


TLM® products: Repository, Designer, Code Generator, Data Workbench, Analyzer 

604.738.4999 
604.738.4979 
TF 1-866-678-6253 
E info@maketechnologies.com 
W maketechnologies.com 

MAKE Technologies 


SOFTWARE 

The 2011 Software 500 CD 
www.softwaremag.com/SW500CD 

Software Magazine’s Research Team Delivers to you the 2011 Software 500 

Inside you’ll find: 
• More than 5,000 executive names from the 2011 Software 500 companies (Excel format) 
• More than 100 companies new to the list this year 
• The 2011 Software 500 (Excel format) 
• Data cuts from the 2011 Software 500 (Excel format) 
• And the 2011 Software 500 editorial coverage (PDF format) 
• Additional editorial content on mergers and acquisitions from 2009 to 2010, the ranking year 


APPLICATION DEVELOPMENT 


Estimating the Duration of Project Tasks 


IS ESTIMATING THE DURATION OF A PROJECT ALWAYS A MATTER OF GUESSWORK? 


The answer to that should be no. Yet it frequently seems that it is guesswork, especially if we didn’t learn much from previous projects. Although it often seems like every time is the first time, project estimation does not have to be a novel experience for the parties involved. Historical records can help to reduce the risk to the estimating process—if you have recorded and subsequently review this information. 


Ultimately, estimation is and will always be an educated 
guess, although prior experience does go some way toward 
mitigating risk. (Even so, it’s hard to understand how execu- 
tives who have no idea of what it takes to achieve project 
results are able to tell you that you’re budgeting for too 
much time.) Invariably, as a team marches through a project, 
they find that the accuracy (or lack thereof) of their estimates 
becomes clearer and clearer, in the same way that a GPS’s 
arrival estimate becomes more accurate as we approach the 
target location. This article will guide you through how to 
scope a project and use some techniques to maintain control 
over the schedule estimates. 


Steps in Estimating 
Some information is essential to creating a meaningful estimate. For example: 

• A statement of scope or a scope document that defines what the project is and is not 
• A task list in the form of a work breakdown structure (WBS) 
• Task details defined (i.e., not simply a list of task names) 
• Duration estimations provided by the team 
• Task dependencies (schedule and risks) clarified 
• Schedule risks and task variations identified via Critical Path or other methodology 
• Planned schedule risk mitigation 


Insufficient time spent on schedule development is a key risk to project success; you can eliminate the target-date tango by building a schedule defense that manages the risks 


By Kim Pries and Jon Quigley 
Figure 1: Example of PERT Using an Excel Spreadsheet 

Project Time Estimate 
time estimate = (Optimistic + (4 × most likely) + pessimistic) / 6 

Spreadsheet header fields: Doc Number, Project, Product, Responsible, Prepared by, Page 1 of, Key Date, Est Req Date (Orig), (Rev), Core Team 

The division by 6 suggests that PERT uses the assumption of a normal distribution (Six Sigma covers 99.98 percent of the possible variation), which may not be warranted by the data. 


All of the above items should be in at least preliminary form 
before attempting an estimate of a project schedule. 


Defining Project Scope 

The project scope actually defines the constraints on the 
project. Without this definition (agreed upon by customers 
both internal and external) of project boundaries and expec- 
tations, the team has no way to re-estimate time durations 
or assess risks if the scope changes later. (Note that “inter- 
nal customers” are essentially players in projects that involve 
deliveries from one organizational function to another. It 
is necessary for such players to understand and agree upon 
what constitutes “good,” useable input from their and other 
functions.) The very heart of scope is the WBS, which can be 
formatted in any of several ways. 

Essentially, the scope definition allows us to quantify 
project success by providing the boundaries within which 
the team will work. 

WBSs are often hierarchically broken down as cost cen- 
ters (subsystems that cost money and for which we have ac- 
counting), particularly if the organization is following the 
dicta of MIL-STD-881C, the U.S. Department of Defense 
(DOD) standard that defines WBS format and content. In 
the context of this standard, cost center or task names can 
originate from organizational processes, known and proven 
best practices, expert and experienced opinions, or major 
deliverables. 

In addition to breaking down hierarchically, this activity 
breaks down deliverables into the steps it takes to produce 
those deliverables (sub-deliverables). This smaller task/de- 
liverable is easier to estimate than the larger tasks. The scope 
is clearer and it fits into the recommended 40- to 80-hour 
work package, allowing more refined tracking of progress 
when it comes time to monitor and control the project. 

Just as the overall project has a scope, each task objective will have a task scope, defined as that which constitutes successful achievement of that task. By what measures will you determine completion of that task? The DOD expects these individual measures to be defined in a WBS dictionary, which typically provides a textual definition of each WBS line item. This also helps to delineate conditions for success in each task. 

Figure: Impact of variation on range of possibilities 
Source: Kim Pries and Jon Quigley 


Duration Estimation à la PERT 

Program Evaluation and Review Technique (PERT) is an estimating method that originated in the 1950s during the USS Nautilus nuclear submarine project. The PERT technique attempts to provide a quick approach to assessing the schedule with a pseudo-normal distribution of expectations. PERT has a terminology and concepts all its own: 

• Optimistic = O 
• Most likely = ML 
• Pessimistic = P 
• Task variance 
• Normal distribution 
• Task duration as a continuum of possibilities (probability) 
• PERT equation = (O + 4 × ML + P) / 6 

The result of the PERT equation is a weighted average 
that attempts to represent the joining of the three variet- 
ies of estimate—i.e., optimistic, most likely, and pessimistic. 
An optimistic schedule occurs earlier than the most likely 
schedule, which occurs earlier than the pessimistic schedule 
or milestone. 

It is possible to downplay the most likely estimate by 
reducing the multiplier for any given component—for ex- 
ample, software development duration is often “optimis- 
tic” among all team members. Additionally, the approach 
assumes that all components of the scheduling model are 
sensible estimates themselves. (See Fig. 1.) 


Task Variance 

The task variance, the root of which is the standard deviation (normal distribution), is the delta between pessimistic and optimistic durations in its roughest form (statisticians may observe that this value is actually the range, a coarse measure of dispersion). The task variance, being derived from the previous duration estimates of “optimistic” and “pessimistic,” provides an envelope of possible durations for the task to be completed. The larger the variance (or envelope), the higher the degree of uncertainty assumed by those doing the estimating. 

It is incumbent upon a project manager to pay attention 
to this variation and the specific tasks affected—especially if 
these tasks turn out to be on the critical path. The critical 
path is the longest, contiguous, slackless path in the schedule 
and therefore provides the estimate of the shortest possible 
time to completion. The project cannot be delivered before 
the date this path indicates. Therefore, duration extension of 
any task on this path will result in a later delivery date. 


Task Dependencies 

Task dependencies are another part of this stew. Task depen- 
dencies are found in sequences of tasks in which one task 
cannot start until another task is complete. For example, a 
facetious set of dependencies would follow the sequence egg 
> chick > hen > fryer. If any task other than the project kick- 
off (first task) or the project closing meeting (last task) has 
no dependencies, then that task can presumably be executed 
immediately, if the resources to do so are available. 

Large variation in the task estimate portends significant 
impacts on the schedule analogous to “tolerance stack-up” 
in the mechanical world (another form of variation). Each 
one of these variances is a schedule risk. If the project has 
been properly baselined in the project management soft- 
ware, the variance can be measured. 

In cases in which the team experiences large variation on dependent tasks on the critical path, the project will see a “ripple effect” on schedule risk and an increase in overall project variance. If this ripple occurs on the critical path, the risk to the estimated schedule is immediate and recovery is potentially unattainable. 


Network Diagrams and GANTT Charts 

We use network diagrams to understand dependencies and 
schedule impacts. The network diagram is a representation 
of dependencies—in effect, a directed graph that considers 
all tasks to be nodes. Commonly, the nodes in the graph will 
show a variety of information, such as resources, start and 
finish dates, and budgetary information. The collection of 
task finish dates allow for a forecast of the probable comple- 
tion date of the project. 
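The PERT equation, the task variance derived from the optimistic and pessimistic bounds, and the network diagram's critical path can be worked through together on a small task network. The following is an added example written for this article, not code from the authors; the six tasks, their O/ML/P estimates, and the dependency graph are constructed sample data, and the critical path is found with a forward pass over the directed graph the text describes.

```python
"""PERT expected durations, task variance, and the critical path of a task network.

Added example; the six tasks below are constructed sample data, not from the
article. Durations are in working days.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    optimistic: float          # O
    most_likely: float         # ML
    pessimistic: float         # P
    depends_on: tuple = ()     # names of tasks that must finish before this one starts

    def expected(self) -> float:
        """PERT weighted average: (O + 4*ML + P) / 6."""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6

    def std_dev(self) -> float:
        """Standard deviation under PERT's normal assumption: (P - O) / 6."""
        return (self.pessimistic - self.optimistic) / 6

    def variance(self) -> float:
        return self.std_dev() ** 2


# Constructed sample network: kickoff -> design -> {build, docs} -> test -> close
TASKS = {
    t.name: t
    for t in (
        Task("kickoff", 1, 1, 1),
        Task("design", 4, 6, 14, ("kickoff",)),
        Task("build", 10, 14, 30, ("design",)),
        Task("docs", 2, 3, 10, ("design",)),
        Task("test", 5, 8, 17, ("build", "docs")),
        Task("close", 1, 1, 1, ("test",)),
    )
}


def topological_order(tasks: dict) -> list:
    """Kahn's algorithm over the dependency graph; raises on a cycle."""
    remaining = {name: set(t.depends_on) for name, t in tasks.items()}
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        for n in ready:
            order.append(n)
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def critical_path(tasks: dict) -> tuple:
    """Forward pass through the network.

    Returns (path, expected_duration, path_variance). The path is the longest
    chain of expected durations, i.e. the slackless chain that sets the
    earliest possible completion date. Its variance is the sum of the task
    variances along it, so a wide spread on one task ripples into the
    project-level spread.
    """
    earliest_finish = {}
    predecessor = {}
    for name in topological_order(tasks):
        task = tasks[name]
        if task.depends_on:
            pred = max(task.depends_on, key=lambda p: earliest_finish[p])
            start = earliest_finish[pred]
        else:
            pred, start = None, 0.0
        predecessor[name] = pred
        earliest_finish[name] = start + task.expected()

    end = max(earliest_finish, key=earliest_finish.get)
    path, node = [], end
    while node is not None:
        path.append(node)
        node = predecessor[node]
    path.reverse()
    path_variance = sum(tasks[n].variance() for n in path)
    return path, earliest_finish[end], path_variance


def completion_probability(tasks: dict, deadline: float) -> float:
    """P(project finishes by `deadline`), treating the critical path total as normal."""
    _, mean, variance = critical_path(tasks)
    if variance == 0:
        return 1.0 if deadline >= mean else 0.0
    z = (deadline - mean) / math.sqrt(variance)
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


if __name__ == "__main__":
    path, duration, var = critical_path(TASKS)
    print("critical path:", " -> ".join(path))
    print(f"expected duration: {duration:.1f} days, std dev {math.sqrt(var):.2f}")
    for d in (30, 34, 40):
        print(f"P(done by day {d}) = {completion_probability(TASKS, d):.2f}")
```

With the constructed data the path runs kickoff, design, build, test, close; the docs task has slack and does not set the date. Note that a "hard" date equal to the expected 34 days carries only a 50 percent chance of being met, which is the point the article makes about single dates.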

Gantt charts are the best-known graphical representation 
of projects, but this approach has some significant limita- 
tions. These charts are, for example, not good at showing 
dependency impacts, and they don’t offer the mathematical 
resources needed to graph theoretical calculations. 


Estimation and Probability 

Any time an upstream manager requests single, “hard” 
dates—which imply 100 percent likelihood—he or she is 
requesting an absurdity. A rational response would be to of- 
fer a span of dates. This could be done using PERT, with 
the estimated mean plus standard deviations indicating as- 
sumption of “normal” distribution. A Rayleigh distribution 
would also work here. 

A Rayleigh distribution is a Weibull distribution with a shape factor whose value is the integer 2. (See Fig. 2.) The Rayleigh mean and variance are not the same as those for the normal distribution, but rather: 

\mu = \gamma + \eta\,\Gamma\!\left(1 + \tfrac{1}{2}\right) = \gamma + 0.886227\,\eta, where 

\gamma = position or threshold 
\eta = scale factor 

\sigma^2 = \eta^2 \left[\Gamma\!\left(1 + \tfrac{2}{2}\right) - \Gamma^2\!\left(1 + \tfrac{1}{2}\right)\right] = \eta^2 (1 - 0.7854) = 0.2146\,\eta^2 

where the position can be negative. The scale is the point at which we have 63.2 percent completion of the specific task. 

Difficulties with probability are multitudinous, and include, for example: 

• Lack of project history 
• Failure to baseline previous projects 
• Failure to scrutinize previous projects 
• Tendency to be either too optimistic or too pessimistic 
• Assumption of distribution can be totally wrong (especially for tasks with no history) 
• Incorrect dependencies (joint probabilities) 
• Existence of a critical path 
• Organization’s demand for “a” specific date (See Fig. 3.) 
Each of these issues can be overcome, and some of them may not even be that important, if team estimates are solid. But in some cases, errors are unavoidable. Some of the errors we have seen are: 

• Insufficient up-front time generating estimates (point source) 
• Underestimates of test time 
• Estimates provided by personnel with no experience or responsibility for the task 
• Underestimates of the impact of lateness on the chain of dependencies 
• Overestimates of the benefit of “crashing” the schedule—which usually means overtime and the possible addition of resources, especially people 
• Underestimates of the human cost of overtime. 


Expanding the Interval 

Expanding the confidence interval is another action that— 
up to a point—increases the probability of a meaningful esti- 
mate. As we expand the interval in which our estimate falls, 
we increase the confidence in the result—in other words, 
80 percent confidence has a narrower interval than 90 per- 
cent confidence. The issue can become meaningless—for ex- 
ample: Beginning of universe > end of time = 100 percent 
confidence. 
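The Rayleigh model the authors propose as an alternative to PERT, and the widening of the date span as the confidence level rises, can both be computed directly. The following is an added example, not code from the article or its authors: it implements the Weibull-with-shape-2 mean and variance given above and a completion-probability function, then turns a requested confidence level into an early/late date span. The position and scale values are constructed.

```python
"""Rayleigh-distributed task duration: mean, variance, completion probability,
and the date span behind a stated confidence level.

Added example; the gamma (position) and eta (scale) values used below are
constructed, with durations in working days.
"""
import math

SHAPE = 2.0  # Weibull shape factor; the value 2 makes the Weibull a Rayleigh


def rayleigh_mean(gamma: float, eta: float) -> float:
    """mu = gamma + eta * Gamma(1 + 1/2) = gamma + 0.886227 * eta."""
    return gamma + eta * math.gamma(1 + 1 / SHAPE)


def rayleigh_variance(eta: float) -> float:
    """sigma^2 = eta^2 [Gamma(1 + 2/2) - Gamma^2(1 + 1/2)] = 0.2146 * eta^2."""
    g1, g2 = math.gamma(1 + 1 / SHAPE), math.gamma(1 + 2 / SHAPE)
    return eta ** 2 * (g2 - g1 ** 2)


def completion_probability(t: float, gamma: float, eta: float) -> float:
    """Weibull CDF: probability the task is finished by time t.

    Nothing can finish before the position gamma; at t = gamma + eta the
    probability is 1 - e^-1, the 63.2 percent point the text mentions.
    """
    if t <= gamma:
        return 0.0
    return 1.0 - math.exp(-(((t - gamma) / eta) ** SHAPE))


def completion_time(p: float, gamma: float, eta: float) -> float:
    """Inverse CDF: the time by which completion probability reaches p."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    return gamma + eta * (-math.log(1.0 - p)) ** (1.0 / SHAPE)


def date_span(confidence: float, gamma: float, eta: float) -> tuple:
    """Early and late dates bounding the central `confidence` probability mass.

    This is the span of dates to offer instead of a single hard date: raising
    the confidence widens the span, and 100 percent has no finite span.
    """
    tail = (1.0 - confidence) / 2.0
    return (completion_time(tail, gamma, eta),
            completion_time(1.0 - tail, gamma, eta))


if __name__ == "__main__":
    gamma, eta = 5.0, 10.0   # constructed: nothing finishes before day 5
    print(f"mean {rayleigh_mean(gamma, eta):.2f} days, "
          f"std dev {math.sqrt(rayleigh_variance(eta)):.2f}")
    print(f"done by gamma+eta (day {gamma + eta:.0f}): "
          f"{completion_probability(gamma + eta, gamma, eta):.3f}")
    for c in (0.8, 0.9, 0.99):
        early, late = date_span(c, gamma, eta)
        print(f"{c:.0%} span: day {early:.1f} to day {late:.1f}")
```

The span is taken symmetrically in probability (equal tails), which is one reasonable convention; a manager who only cares about the late bound would quote `completion_time(confidence, gamma, eta)` alone.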

Project estimates have a cone or triangle of uncertainty. 
(See Fig. 4.) The corollary to that cone of uncertainty is 
the impact on the target date estimate. An additional factor 
is measurement uncertainty, which is equal to the estimate 
variance. The following equation represents one model for 
estimate uncertainty: 


\sigma^2_{\text{estimate}} = \sigma^2_{\text{assumptions}} + \sigma^2_{\text{scope}} + \sigma^2_{\text{environment}} + \sigma^2_{\text{procedure}} + \sigma^2_{\text{task}} + \cdots 

Figure 3 (diagram labels: Late delivery; Inadequate resources; “Acts of God”; No baseline; Environment; Machines) 
Source: Kim Pries and Jon Quigley 


Managing Slack, Risk, and Deliverables 

Managing the slack, or ostensibly idle time, may be perhaps 
the single most important factor in project success. When 
there is no slack, the team may move into the “death march” 
phase, which is inevitably followed by project doom. In- 
stead, manage the slack through control mechanisms (feed- 
back) and monitoring. This will help the team to identify key 
task (critical path) metrics and then track them to predict 
task conclusion, at the same time sounding the alarm when 
slack time vanishes. 

Without some kind of risk mitigation, estimates are likely 
to fail. We suggest that managers perform a project failure 
mode and effects analysis, activate contingency plans to keep 
on track, and above all, pay attention to the details. 

The project manager might consider managing deliver- 
ables rather than directly managing the tasks. After all, what 
customers receive is a deliverable they can see or hold or use. 
Delivering a product is only part of the story; documenta- 
tion is also a deliverable, and so is support work. We intro- 
duce errors when we don’t account for these items; hence it 
is best to develop the schedule cross-functionally. 


Re-estimation 

If all else fails, we can re-estimate the course of the project. 
Re-estimation should be routine for any change in scope 
(schedule, budget, feature set/quality) and “noise” (floods, 
power outages, hurricanes; strikes; losing key players). 

Note that few projects scale linearly; that is, increasing 
scope increases complexity. We believe re-estimation should 
be linear only if the scope increase is very small. Without his- 
tory from other projects, nonlinear adjustments are difficult. 


What About Reviews? 
Reviews are a primary feedback mechanism. For reviews to 
really work, they must occur frequently (no more than 
30 days apart). The client should be updated after each 
review, and wherever possible, surprises should be elimi- 
nated (that way, ideally, the project will go no more than 
30 days out of whack). 
We can also activate a set of prophylactic schedule responses: 

• Alter task sequence/dependencies where possible 
• Control the method of achieving specific tasks (i.e., wherever possible, eliminate risks that cause high variation) 
• Account for task variation in the project delivery schedule 
• Use a capacity resource planning approach (i.e., critical chain)—an iterative approach to resource planning that always provides a good, but may never converge to an ideal, solution. 

Do not build schedule crashes into the estimates. Crashing the schedule attempts to decrease the schedule to deliver the project by “throwing” human resources at the project tasks. It is analogous to the idea that nine women can produce a baby from scratch in one month. In order for a crash to work, the team will need to maintain some slack and have a convenient management reserve (more capacity in terms of dollars and human resource availability). 

Once a project is completely on the critical path, the tar- 
get date is unachievable. Crashing may sound great to an 
upstream manager, but crashing often means the project al- 
ready has exhausted its contingencies and the schedule itself 
is now out of control. 


Conclusion 
Can the target ever be met? Yes—look at the Empire State Building. It was completed 1.5 months ahead of schedule at less than 90 percent of the budget, with no project software or electronic spreadsheets! 


Figure 4: Cone of Uncertainty and Impact on Target Date Estimate (horizontal axis runs from Kickoff to Projection/conclusion; because uncertainty is high at start of project, variance around original estimate is large; uncertainty diminishes as we approach the conclusion, just like the time estimate of a GPS gets better as we get closer) 
Source: Kim Pries and Jon Quigley 


Buyers Guide: Project Cost Management Software & Services 

| Company | Focus Areas | Products / Services | 
|---|---|---| 
| A-1 Enterprise | ACLC, BC, COL, ONL, PRP, PRT, TET, WBS | X X | 
| Accord Software & Systems | COL, PRP, PRT, RSC, WBS | X | 
| CA | BC, COL, PRP, PRT, RSC, TET | X X | 
| Celoxis | COL, ONL, PRP, PRT, RSC, TET | X | 
| Charismatek Software Metrics | EST, PRP, RSC | X X | 
| Cost Xpert | EST, PRP | X X | 
| EcoSys | BC, PRP, RSC | X X | 
| Eigasoft | BC, WBS | X | 
| Galorath | EST, PRP, WBS | X X | 
| IBM Rational | ACLC, COL, PRP, PRT, RSC | X X | 
| Metrics Software | COL, EST, PRP, PRT, RSC, TET, WBS | X | 
| Microsoft | BC, COL, PRP, PRT, RSC, TET | X X | 
| Oracle | ACLC, BC, COL, PRP, PRT, RSC, TET, WBS | X X | 
| PRICE Systems | EST | X X | 
| PrimaSoft | BC, PRP, PRT, TET | X | 
| QSM | ACLC, EST, PRP, PRT | X X | 
| RASS Tools | EST, PRP, RSC | X | 
| Scoutwest | PRP, RSC, TET | X | 
| Software Productivity Research | EST, WBS | X | 
| Tassc Ltd. | EST, PRP, PRT, RSC, TET | X X | 
| Tecolote Research | ACLC, EST, PRP, PRT, TET | X X | 
| Tenrox | PRP, RSC, TET | X X | 
| VIP Quality Software | COL, PRP, RSC, TET | X | 

Key to Focus Areas 
ACLC Automatic Calculations; BC Budget Control; COL Collaboration; EST Estimation; ONL Online Software; PRP Project Planning; PRT Project Tracking; RSC Resource Management; TET Time/Expense Tracking; WBS Work Breakdown Structure 

We say that the best schedule is one 
that is accurate enough that it doesn’t 
have to be changed. Barring that, con- 
tingency plans are the order of the 
day, and they must be exhaustive—in 
fact, it is not unreasonable to have 
multiple or layered contingency plans. 
Additionally, constant monitoring of 
project deliverables and schedule de- 
pendencies lets the project manager 
know the state of his or her project and 
when the contingency plans should be 
evoked (or the stakeholders notified). 

We suggest that project managers 
express targets in probabilistic terms 
and that neither they nor their man- 
agers expect the “old school try” will 
save a fiasco. In short, comprehensive 
preparation is the surest way to moder- 
ate the effects of accidents, stupid deci- 
sions, and irrational expectations. 


Kim Pries, APICS CPIM, and Jon Quigley, PMP CTFL, are principals with Value Transformation, LLC, a product development training and cost improvement organization. They have written Project Management of Complex and Embedded Systems as well as Scrum Project Management and Testing Complex and Embedded Systems, all available at Amazon. They are working on two more books. Contact them at kim.pries@valuetransform.com and jon.quigley@valuetransform.com. 
Your Business Has No Time for Downtime 
Webmetrics Can Help 


Your website is crucial to your success, so making sure it’s performing for your customers is not negotiable. Neustar® Webmetrics® helps you protect your brand, ensure a competitive advantage and increase your revenues with innovative performance monitoring and testing solutions. 

• Understand your site’s performance from an end user perspective 
• Monitor web applications including e-commerce, SaaS, Cloud and media 
• Track performance from all over the world, with a real browser 
• Integrate with existing solutions utilizing our open APIs 
• Diagnose performance bottlenecks and speed time-to-fix with historical analysis and trending data 

Free Performance Monitoring Trial: Visit webmetrics.com to get started today 


Neustar® Webmetrics® 
World Class Performance Monitoring and Load Testing Services 
Discovering the Big Deal About Big Data

By Umesh Jain

Today, with a significant decrease in cost of storage and processing—along with a slew of new tools for capturing, storing, organizing, and analyzing data—big data has become big opportunity.

The definition of “big data” varies depending on whom you ask. At a very simplistic level, “big data” refers to datasets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze.¹ This definition, though, is rather subjective, focusing primarily on the volume of data. Volume, of course, is important, but consider that having a lot of data about just one thing may not be that big of a deal, from a value-creation viewpoint. Moreover, what’s “big” today will not be “big” tomorrow—making it tough for people to grasp what we really mean when we use the term.

I personally prefer an alternative definition of big data that combines three attributes: volume, variety and velocity—commonly referred to as the “three Vs.”² (See Fig. 1.)


Figure 1: The Three Vs of Big Data (Source: Umesh Jain)
Volume: large volume of data (terabytes or petabytes); size, records, transactions, or tables.
Variety: number and type of data sources; structured; unstructured.
Velocity: frequency of updates.

Volume
In 2011, the amount of information created and replicated will surpass 1.8 zettabytes (1.8 trillion gigabytes)—growing by a factor of 9 in just five years.³

Thirty billion pieces of content (photos, Weblinks, notes, and so on) are shared on Facebook every month.

As of September 2011, the Library of Congress had collected about 254 terabytes of data (1 terabyte = 1,024 gigabytes). The archives grow at a rate of about 5 terabytes a month.

In the 20 years from 1990 to 2010, worldwide mobile phone subscriptions grew from 12.4 million to more than 4.6 billion, penetrating the developing economies and reaching the bottom of the economic pyramid.

It is clear that data volume is the primary attribute of big data. With the growth of volume in social networking sites such as Facebook and the growth in mobile phone and associated data usage, managing the tremendous growth in data volumes has to be a critical part of any big-data strategy. Just a few years back, big data would have been defined as gigabytes of information. Today, we have moved that to terabytes or even petabytes of information to define big data. Currently, most users define big data as anything above a few terabytes.

Variety
The second attribute of big data is the variety of data sources involved. Historically, companies had just a few operational and transactional systems from which data was aggregated. Today, we have many more sources and formats, from clickstreams and social media to RFID from supply-chain applications. We get geospatial and multimedia data, unstructured text data from contact centers, and context-aware data from mobile sources. The net effect of this wide variety is that it has made data aggregation and the analysis of unstructured data more complex, while also fueling the growth in data volume.

Velocity
The speed at which all this data is being generated—its velocity—is yet another attribute that helps in defining what we mean by “big data.” Another way to think of velocity is in terms of the frequency of data generation and delivery. The collection of real-time and near real-time data is nothing new: Companies such as Amazon and others have been collecting clickstream data for years to make purchase recommendations to Web visitors. However, the velocity at which it is generated makes this data difficult to analyze—and possibly respond to—in real time.




The Importance of Big Data
Organizations that use data-driven decision making exhibit a 5 percent to 6 percent higher output and productivity than would be expected, given their other investments and usage of information technology.⁴

According to a recent estimate by McKinsey Global Institute, if U.S. healthcare could use big data creatively and effectively to drive efficiency and quality, more than $300 billion could be saved every year, and national healthcare expenditures could be reduced by about 8 percent.⁵

With the amount of research and analysis seen lately backing big-data analysis, it is not surprising that this area of business intelligence is getting so much attention.

Analyzing big data can improve organizational performance. Using data to understand organizational performance trends, drivers, and variability in performance makes it possible to quickly identify root causes of performance issues and thus drive higher performance. An example of this is in contact centers, where accessing and analyzing a bigger dataset at the individual call and agent level enables organizations to reduce call volumes, improve agent performance, and drive better productivity, while improving customer experience.

Big data can customize the brand, product, and customer experience. As Amazon does with its recommendation engine, organizations can use big-data analysis to segment and micro-segment their customers to improve real-time personalization. This personalization allows organizations to improve existing products and services, identify new opportunities, and invent entirely new business models, based on the ongoing analysis of data around changing customer needs and wants.

Large statistical samples provide better results. In general, the larger the sample size, the more accurate the results of statistical analysis. Hence, the use of big data significantly increases the confidence in statistical analysis used to make data-driven decisions.

Technology costs and capabilities have reached an acceptable level. Most of the analysis being done on big data is not new; it’s just more accessible now to a broader set of companies due to significant improvements in the cost, capabilities, and simplicity of technologies that support this effort. The number of vendor choices and technology options for big-data analysis has grown astronomically

Buyers Guide: Big-Data Management and Analysis Tools & Services

Company                        Focus Areas
Accenture                      IMD, PA
Apache                         DP, HDP, MR
Greenplum, a division of EMC   AGA, HDP, MPP, SUD
Impetus Technologies           HDP, MPP, NSQL
Informatica                    DP, HDP
Microsoft                      HDP, MPP, MR, SUD
ParAccel                       AGA, COB, HDP, MPP
SAND Technology                DC, IDA, PA, SUD
Sybase, an SAP company         AGA, COB, DC, IMD, PA
Teradata                       MPP, MR

Key to Focus Areas
AGA  Agile Analytics
CLB  Cloud-Based
COB  Column-Based
DC   Data Compression
DP   Distributed Processing
DVI  Data Visualization
HDP  Hadoop
IDA  In-Database Analytics
IMD  In-Memory Database
MPP  Massively Parallel Processing
MR   MapReduce
PA   Predictive Analytics
RTD  Real-Time Dashboards
SUD  Structured and Unstructured Data
over the last few years. Today, the market is full of vendors offering tools for advanced data visualization, predictive analytics, real-time dashboards, NoSQL DBMS, Hadoop, MapReduce, in-memory database, and visual discovery, among others. (See sidebar.) The rapid proliferation of these tools has made it easier for organizations to find the best tool to address their specific needs.

Big-data analysis offers transparency that was not avail- 
able before. Making big data more easily accessible to rel- 
evant stakeholders in a timely manner can create tremendous 
value. For example, deep insights from raw contact-center 
data around what customers are calling about today can al- 
low marketing, sales, operations, product development, and 
finance to fine-tune and improve the productivity and per- 
formance of the product, service, and overall business. 


Challenges to Address 
As with any major opportunity, big data involves challenges 
that need to be addressed. Organizations looking to harness 
the power of big data need to understand the issues and 
lessons learned by the early adopters in this space. Here are 
some key points to consider: 

• Talent gap. There is a significant shortage of the ana- 
lytical and managerial talent necessary to make the most 
of big data. According to the McKinsey study mentioned 
above, the United States alone faces a shortage of 140,000 
to 190,000 people with deep analytical skills as well as 1.5 
million managers and analysts to analyze big data and make 
decisions based on their findings. (See Fig. 2.) This is one 
of the biggest challenges facing organizations that want to 
move toward data-driven decision making. Organizations 
that recognize this challenge should consider investing in 
educating the current talent and look at the possibility of 
partnering with an outsourced analysis service provider to 
bridge this gap. 

• Technologies and techniques. There are a number of technology decisions that are required to support big-data analysis. When selecting the technologies, first consider going with what you already know, as long as it fits the requirements; most vendors, including Microsoft, IBM, and Oracle, have solutions for big data. Beyond that, look for massively parallel processing (MPP) platforms, column-store databases, in-database processing techniques, in-memory solutions, predictive analytics, and advanced visualization technologies when looking for the best combination of technologies to meet your big-data analysis requirements.
• Data security and privacy policies. Data security and privacy are critical considerations when designing your solution. With big data, you will be looking at data being extracted from multiple sources internal and external to your organization. Moreover, with data privacy concerns, particularly as they relate to consumer data, make sure that your policies and procedures are in place before embarking on big-data initiatives.

• Access to raw data. To enable greater insights and value from your initiative, you will very likely need to integrate data from external sources. Some of this data will need to be purchased from external entities, and gaining access to this third-party data is often not a straightforward process. Consider the options and requirements. Furthermore, this may be the first time you integrate some of your internal data sources into the overall data structure. These will come with their own complexities of integration and performance. Both internal and external sources will need to be considered in order to develop optimal data aggregation and access design.

• Speed versus scale. Balancing the speed of data access 
and process with the size and scalability of your storage 
and processing platforms is another vital area of consid- 
eration. Focus on starting with the questions that you are 
trying to answer through analysis, and extract only the 
data that’s required to answer those questions. A lot of 
companies have more data than they need. Despite the 
fact that storage and processing costs are coming down, 
wasting resources and unnecessarily increasing the com- 
plexity of your solution is pointless. 

• Data versus value. The process of capturing data has become so easy that organizations have gotten very good at collecting and storing it over the last 10 to 15 years. The problem that most of them are struggling with is figuring out how to extract value from all of this data. It’s more important to spend some time figuring out what questions need to be answered to improve the business before turning to the data required for the answer.

Remember the three attributes of big data—volume, variety, and velocity. When deciding your big-data analysis solution, be sure you understand all of these attributes rather than focusing on just one of them.

As with many technology initiatives, it pays to start small and learn as you go, rather than take a big-bang approach. Remember that, given the improvements in technology and the constant decrease in storage and processing costs, what you consider big data today may be small data tomorrow. Don’t overinvest in technology for technology’s sake. Ensure that you clearly understand the value your organization needs from big-data analysis, because getting a high return on investment from your initiatives is critical to getting stakeholder and executive buy-in.

Glossary: Common Terms Used in Big-Data Discussions

Advanced Analytics: Refers to options such as predictive analytics, data mining, and statistical analysis—a combination of analytic tools and techniques to use on your big-data sets.

Complex Event Processing (CEP): Used to process multiple events happening across all the layers of an organization, identifying the most meaningful events, analyzing their impact, and taking subsequent action.

Hadoop Distributed File System (HDFS): Originally developed by Yahoo! as a clone of Google’s MapReduce infrastructure (but subsequently open-sourced), Hadoop takes care of running your code across a cluster of machines. It chunks up the input data, sends it to each machine, runs your code on each chunk, checks that the code ran and passes on the results, sorts data between the map and reduce stages, sends each chunk of the sorted data to the right machine, and writes debugging information on each job’s progress, among other things.

In-Database Analytics: Allows data processing to be conducted within the database by building analytic logic into the database itself. Doing so eliminates the time and effort required to transform data and move it back and forth between a database and a separate analytics application.

In-Memory Database: Can serve many purposes, but in business intelligence (BI), it usually supports real-time dashboards for operational BI and stores metrics, key performance indicators (KPIs), and sometimes OLAP cubes. The biggest benefit of an in-memory solution is the response rate and performance benefit that can be gained by eliminating disk input/output and other speed bumps.

MapReduce: A relatively new analytic option, MapReduce is an algorithm design pattern that originated in the functional programming world. It makes a distributed file system such as HDFS addressable through analytic logic.

Massively Parallel Processing (MPP): Also known as a parallel database system, an MPP system runs on more than one machine, where each machine has its own disk storage. The database is physically located in several disk storage systems that are interconnected to each other.

NoSQL DBMS: (Sometimes expanded to “not only SQL”) A broad class of database management systems that differs from the classic model of the relational database management system (RDBMS) in some significant ways. These data stores may not require fixed table schemas, usually avoid join operations, and typically scale horizontally.

Real-Time: A number of operational BI solutions utilize data in a real-time or near real-time basis. As more of these solutions move toward true analytics as compared to reporting and dashboards, a number of the big-data analysis solutions will need to support real-time updates.

Unstructured Data: Data from social media, call centers, and other natural-language data sources that needs access to text mining, audio mining, and text analysis engines to be converted to structured data for analysis. The resulting data can be applied to a host of applications, including customer sentiment analysis, call reason analysis, and competitive intelligence applications. With big-data analysis, the need to harness the untapped value in unstructured data is very important.

Visualization: Data visualization is one of the fastest growing areas of BI. Advanced data visualization (ADV) is the perfect complement to big-data analysis, as it can handle visualizations to represent thousands or millions of data points—unlike standard pie, bar, or line charts.
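The Hadoop and MapReduce glossary entries describe a pipeline: chunk the input, run the map function on every chunk, sort and route the intermediate pairs by key, then run the reduce function per key. The following single-process simulation of that pipeline is an added example, not the author’s or Apache’s code; the vulnerability records it aggregates by month and by affected product are constructed sample data, and all function and field names are my own.

```python
"""
Single-process simulation of the MapReduce pipeline the glossary describes:
chunk the input, map each chunk independently, sort/shuffle the intermediate
(key, value) pairs, route each key to exactly one reducer, reduce per key.
Added example; the input records are constructed, not real CVE data.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple
import zlib

KV = Tuple[str, int]
Mapper = Callable[[str], Iterator[KV]]
Reducer = Callable[[str, List[int]], KV]

# Constructed sample input, one record per line: "id,published_date,product".
SAMPLE_RECORDS = [
    "VULN-0001,2010-01-14,Windows",
    "VULN-0002,2010-01-22,Internet Explorer",
    "VULN-0003,2010-02-03,Java",
    "VULN-0004,2010-02-09,Adobe Reader",
    "VULN-0005,2010-02-17,Windows",
    "garbage line without the expected fields",  # deliberately malformed
    "VULN-0006,2010-03-01,Java",
    "VULN-0007,2010-03-30,Windows",
]


def chunk_input(lines: Iterable[str], size: int) -> Iterator[List[str]]:
    """Split the input into fixed-size chunks, one per simulated worker."""
    buf: List[str] = []
    for line in lines:
        buf.append(line)
        if len(buf) == size:
            yield buf
            buf = []
    if buf:
        yield buf


def parse(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (id, date, product), or None if the line is malformed."""
    parts = line.split(",")
    if len(parts) != 3 or len(parts[1]) != 10:
        return None
    return parts[0], parts[1], parts[2]


def map_by_month(line: str) -> Iterator[KV]:
    """Emit (YYYY-MM, 1) for a well-formed record; malformed lines emit nothing."""
    rec = parse(line)
    if rec is not None:
        yield rec[1][:7], 1


def map_by_product(line: str) -> Iterator[KV]:
    """Emit (product, 1) for a well-formed record."""
    rec = parse(line)
    if rec is not None:
        yield rec[2], 1


def reduce_count(key: str, values: List[int]) -> KV:
    """Sum the 1s emitted for one key."""
    return key, sum(values)


def partition(key: str, n_reducers: int) -> int:
    """Deterministic key -> reducer assignment. crc32 is used instead of
    hash(), which Python salts per process, so routing is reproducible."""
    return zlib.crc32(key.encode("utf-8")) % n_reducers


def run_job(lines: Iterable[str], mapper: Mapper, reducer: Reducer,
            chunk_size: int = 3, n_reducers: int = 2) -> Dict[str, int]:
    """Run the map, shuffle/sort and reduce phases over `lines`."""
    # Map phase: each chunk is processed on its own, as on separate machines.
    intermediate: List[KV] = []
    for piece in chunk_input(lines, chunk_size):
        for line in piece:
            intermediate.extend(mapper(line))
    # Shuffle/sort phase: sort by key, group values, route each key to one reducer.
    reducers: List[Dict[str, List[int]]] = [defaultdict(list) for _ in range(n_reducers)]
    for key, value in sorted(intermediate):
        reducers[partition(key, n_reducers)][key].append(value)
    # Reduce phase: every reducer sees only its own keys.
    result: Dict[str, int] = {}
    for groups in reducers:
        for key, values in groups.items():
            out_key, out_value = reducer(key, values)
            result[out_key] = out_value
    return result


if __name__ == "__main__":
    print(run_job(SAMPLE_RECORDS, map_by_month, reduce_count))
    print(run_job(SAMPLE_RECORDS, map_by_product, reduce_count))
```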


Umesh Jain is the founder and president of Merging Elements, an advisory firm focused on customer management and IT strategy services. He has more than 15 years of experience in contact centers, CRM, analytics, and technology in a variety of roles. He can be reached at umesh.jain@mergingelements.com.


¹ “Big data: The next frontier for innovation, competition, and productivity,” McKinsey Global Institute, May 2011.

² In a 2001 research report, “3D Data Management: Controlling Data Volume, Velocity and Variety,” and in related conference presentations, META Group (now Gartner) analyst Doug Laney defined data growth challenges (and opportunities) as being 3-D—increasing in volume (amount of data), velocity (speed of data in/out), and variety (range of data types, sources). Gartner continues to use this model for describing big data.

³ IDC, “The 2011 Digital Universe Study,” June 2011.

⁴ Erik Brynjolfsson, Lorin M. Hitt, and Heekyung Hellen Kim, “Strength in Numbers: How does data-driven decision-making affect firm performance?” Publishing, April 2011.
Addressing the New Urgency of Endpoint Security

Lately, thanks to improved technologies and compliance in perimeter security, many of us corporate denizens of the Net, those who work behind enterprise firewalls, have not been severely hurt or otherwise inconvenienced by the exploits of cybercriminals. Arguably, the last three to four years have been much quieter when it comes to email cyber-attacks.


Unfortunately, that’s no indication 
that the digital world has suddenly be- 
come a safer place. Instead, the sad re- 
ality that confronts us is one in which 
the threats are increasingly more tar- 
geted and the criminals are becoming 
seasoned activists and professionals. 
As the criminals up the ante, their 
prime targets—the establishment and 
the enterprise—find new vulnerabili- 
ties exposed. 

The challenge of safeguarding 
against this latest breed of advanced at- 
tacks is further compounded as IT (in 
public and commercial sectors alike) 
tries to embrace emerging trends that 
are inherently weaker against attacks. 
Such trends, which in fact are business 


imperatives, range from the infrastruc- 
tural (as in wanting to be more virtual 
and more mobile) to the social (as in 
wanting to be more available on social 
networks). 

Cybercriminals are fully exploit- 
ing this situation and are unleashing 
a new wave of attacks by targeting a 
different layer of enterprise security: 
the endpoints, which, as it turns out, 
were where cyber-attacks first started 
back in the 1980s, mostly through 
break-ins and sneaking in “Trojan 
horses” as part of software releases 
on mini-computers and mainframes. 

Before we examine the nature of 
these new attacks and the way tech- 
nology and related cyber-security so- 


lutions are rising to the occasion, let 
us first gain an understanding of the 
vulnerabilities we just talked about. 

The Common Vulnerabilities and 
Exposures (CVE) system tracks pub- 
licly known information-security 
vulnerabilities and exposures. This 
reference database is maintained by 
MITRE Corp. with the endorsement 
and support of the National Cyber 
Security Division of the United States 
Department of Homeland Security. 
Other federal agencies that recom- 
mend and/or require the use of cy- 
ber-security products that use CVE 
identifiers are the National Institute 
of Standards and Technology (NIST) 
and the Defense Information Systems 
Agency (DISA). 

In 2010, a total of 4,651 vulner- 
abilities were identified in the CVE 
system. (See Fig. 1.) Endpoint oper- 
ating systems (OSs)/applications such 
as Windows, Internet Explorer (IE), 
Java, and Adobe were all hit by these 
vulnerabilities. 


Figure 1: Number of Worldwide Vulnerabilities in 2010 by Month

Unless enterprise security architecture addresses endpoint security comprehensively (i.e., taking into consideration things like virtualization, mobility, and social networking), cyber-security will remain elusive.

Where Endpoint Security Fits In
The CVE represents just one quantitative analysis that we can use to understand and appreciate the persistent nature of this stealth activity. To get back to our broader discussion, let us first restate what endpoints are and the position that endpoint security occupies in the broader map of enterprise security architecture.

In the strictest sense, endpoints are 
defined as network devices with an 
IP address and a port—in effect, any 
device that is formally attached to the 
corporate network. For the purposes of 
this discussion, however, endpoints are 
defined as servers, desktops, laptops, 
smart phones, embedded systems, and 
the like. 

Technically, endpoint security is just 
one of a handful of security layers, and 
seemingly an independent one at that 
(in the sense of “separation of con- 
cerns”). However, it is also a layer in 
which trust can be quickly eroded, and 
one that is difficult to keep tabs on. 

Take IBM’s security framework, for 
example. The layers in that framework 
include (from top to bottom): People 
and Identity; Data and Information; 
Application and Process; Network, 
Server, and Endpoint; and Physical In- 
frastructure. 

The People and Identity layer can 
have effective checks and balances built 
into it with identity and access control 
(and an accompanying audit log of 
who did what, when). Things can get 
very murky, however, when that layer 
comes in contact with the Network, Server, and Endpoint layer underneath. (See Fig. 2.)

When people use and manage end- 
points, there can be a lot of room for 
contamination, whether willful or unin- 
tended—contamination that can never 
be tracked or accounted for. Surrepti- 
tious access to other enterprise assets, 
including systems and data through the 
many devices (laptops, desktops, smart 
phones, gaming consoles), servers (es- 
pecially public-facing Web servers), and 
related (high-speed and high-capacity) 
multimedia ports available on the new 
and emerging endpoints, leave enough 
room for criminals to conduct their ac- 
tivities expeditiously, and without ever 
leaving fingerprints. 

The April 2011 attack on Sony’s 
gaming networks, which reportedly in- 
volved the theft of millions of records of 
consumer data, is a great example of how 
clear and present (and yes, very enor- 
mous) the danger still is at this layer. 

These attacks were followed by at- 
tacks on Sony Online Entertainment 
and on Sony’s Greek website. Indeed, 
all of the biggest security breaches of 
2010 were attacks on endpoints. The 
details of these attacks are: 

• Aurora/Hydraq, in January 2010, was targeted at high-tech companies (such as Google, Yahoo!, and Rackspace) and defense contractors (such as Northrop Grumman). It exploited an IE loophole to deliver malware capable of modifying applications.

• Stuxnet, in July 2010, was tar- 
geted at industrial software and pro- 
grammable logic controllers (PLCs) 
of Siemens control systems. It was 
Windows-based, and its many variants 
attacked uranium enrichment infra- 
structure in Iran. In a related devel- 
opment, Iran reported that it had un- 
covered a new espionage virus, called 
Stars, that is aimed at damaging its 
government institutions. 

• WikiLeaks, in October and No- 
vember 2010, was targeted at U.S. 
defense and state departments. Ex- 
ploiting unprotected (downloading 
without encryption) peripherals (as 
described above), WikiLeaks managed 
to steal 400,000 classified documents 
and more than 2,000 sensitive cables. 
The leaks continued into April 2011 
with the publication of 779 docu- 
ments related to the Guantanamo Bay 
prison camp. 

• LizaMoon, in October 2010, 
was targeted at consumers and web- 
sites. Using SQL injection, it spread 
“scareware” and encouraged users to 
install rogue antivirus software. The 
attacks, according to McAfee, con- 
tinued into April 2011, and affected 
more than a million sites. 

A 2008 study conducted by the Eu- 
ropean Network and Information Se- 
curity Agency (ENISA) found that the 
most common infection methods used 
in the preceding years were browser ex- 
ploits (65 percent), email attachments 
(13 percent), OS exploits (11 percent), 
and downloads (9 percent). 

That confirms that the attackers are indeed becoming adept at bypassing the perimeter to aim at the endpoints. Their efforts are getting a boost from malware or crimeware toolkits such as FakeAV and Zeus (which help in building botnets, which can control computers remotely) and from zero-day attacks—attacks on vulnerabilities that are known (to hackers, but so new that they are unknown to most developers) and are still being fixed by the software vendor.
A Rogue’s Gallery of Endpoint Threats

Let us now examine the full range of 
endpoint vulnerabilities, and some of 
the attack types that can target them. 


Attacks Related to Virtualization 
Inefficient and sub-optimal as they 
were, physical servers nevertheless of- 
fered a level of built-in security that was 
inherent in their segregation and dedi- 
cated functionality. They had their own 
unique access, security controls, and 
administration. Unless similar segmen- 
tations are implemented using virtual 
local-area networks (VLANs) with ap- 
propriate role-based policies to restrict 
unauthorized access to a VLAN, virtual 
data centers and cloud infrastructures 
will be vulnerable to attacks. 

Full-disk encryption on such mobile 
assets as laptops has been standard prac- 
tice for certain types of users, and it cov- 
ered OSs, program files, temp data, and 
user data. But virtual machines (VMs) 
can be much more mobile than such 
physical assets; they can be moved 
around at the click of a mouse to 
enable dynamic provisioning. Full- 
disk encryption must be applied to 
sensitive virtual images as well. In 
addition, moving to a policy-driv- 
en, data-centric encryption will 
ensure protection against copying 
through multimedia ports. 

VMs are only as safe and risk- 
free as the host. Limiting the 
host’s attack surface area (with 
fewer OSs and an optimal num- 
ber of general-purpose endpoint 
applications) will make them that 
much safer. 

Virtualization software itself 
could become a vulnerable area 
as attacks on endpoints get deep- 
er and more persistent. Regular 
patch management of the soft- 
ware is a basic defense measure 
against that threat. 


Attacks Related to Mobility 

The ever-increasing computing 
power, convenience of form fac- 
tor (made only more attractive by 
the new wave of tablets led by the 
iPad), and perpetual connectivity that 
most mobile devices offer these days 
have contributed to a significant growth 
of mobile endpoints that the enterprise 
must now worry about. 

So it won't be long before even newer OSs, such as iOS and Android, are the focus of targeted attacks. They do come with built-in local/remote wipe features, as well as device encryption based on the Advanced Encryption Standard (AES, with 256-bit keys on iOS), but they can be very vulnerable to targeted attacks unless they are required to operate within the perimeter. This can be done through virtual private networks (VPNs) and enterprise mobility server connections, or through corporate virtual desktop infrastructures (VDIs) in the case of tablets. The C-level clamor for tablets often sidesteps the step of putting a formal mobile device management (MDM) system in place before granting access to mobile enterprise assets.

Local data sitting on mobile devices is another significant area of vulnerability. With the abundance of native mobile apps, more and more mobile devices are storing data locally, thereby subjecting them to the same security threats as standard desktops and laptops.

[Figure: Layers Make Up the IBM Security Framework. Labels legible on the page: IBM Security Framework; Security Governance, Risk Management and Compliance; Common Policy, Event Handling and Reporting; Managed Hardware.]

Although some mobile OSs offer application "sandbox" capabilities that isolate an application and its data from other apps on the device, not all apps are designed to take advantage of those OS features. The situation is further exacerbated by the fragmentation of mobile OSs in the market today, with many versions in the field patched on different schedules. All of it leads to inconsistent security.

An emerging and rapidly growing area in mobile apps is mobile commerce and payments. Banks and payment processors are already implementing solutions to make mobile devices into "virtual wallets," leveraging OS support and mobile hardware innovations such as near-field communication (NFC) in modern smart phones, such as Google's Nexus S. These new features will also make it necessary for mobile devices to become compliant with, for example, the Payment Card Industry Data Security Standard (PCI DSS), to protect cardholder data.

Wi-Fi sniffing has become a new concern. Software such as Firesheep has exposed how little protection a shared Wi-Fi network gives. A typical coffee shop network is either open or protected by one password shared with every customer (WEP, or a WPA pre-shared key), so any patron can capture and read the other patrons' traffic. Firesheep does not break any encryption: it picks the session cookies out of the plain HTTP requests that many sites, social networks included, sent in the clear after an HTTPS login, and replaying a captured cookie logs the attacker in as the victim. The fix is on the server side (the whole session over HTTPS, with session cookies marked Secure), not in the Wi-Fi password.
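To make the mechanism concrete, here is an added Python example (not Firesheep's code, and not anything from the page's author) showing both halves of the problem: the attacker side, which simply reads session cookies out of cleartext HTTP requests captured off the air, and the defender side, which audits a site's response headers for the properties that stop the attack. The requests, hosts, and cookie names (c_user, xs, session_id) are constructed for the example and stand in for whatever a real site uses.

```python
"""Session sidejacking (the Firesheep attack) and the server-side fix.

Added example: not Firesheep's code and not the page author's.  The captured
requests, hosts, and cookie names (c_user, xs, session_id) below are
constructed for the demo; they stand in for whatever a real site uses.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Cookie names the attacker treats as login sessions.  Firesheep shipped a
# per-site handler list; this set is an illustrative assumption.
SESSION_COOKIE_NAMES = {"c_user", "xs", "session_id"}

# --- attacker side: plain HTTP requests as seen on shared Wi-Fi --------------
# Nothing is decrypted here.  These requests crossed the air in cleartext,
# so every station on the network can read them.  (Constructed samples.)
CAPTURED_REQUESTS = [
    "GET /home.php HTTP/1.1\r\nHost: www.social.example\r\n"
    "Cookie: c_user=100004; xs=9f2d6a1b\r\n\r\n",
    "GET /inbox HTTP/1.1\r\nHost: mail.example.net\r\n"
    "Cookie: session_id=a1b2c3; lang=en\r\n\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",  # no cookie
]


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Return (host, {cookie name: value}) from one raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    host, cookies = "", {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
        elif name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            cookies = {k: m.value for k, m in jar.items()}
    return host, cookies


def sidejack(captures: list[str]) -> dict[str, dict[str, str]]:
    """Collect replayable session cookies: host -> {name: value}.  Loading
    these into a browser is all Firesheep does to become the victim."""
    loot: dict[str, dict[str, str]] = {}
    for raw in captures:
        host, cookies = parse_request(raw)
        hits = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
        if hits:
            loot.setdefault(host, {}).update(hits)
    return loot


# --- defender side: audit what the site sends back ---------------------------
def audit_response(headers: list[tuple[str, str]], over_https: bool) -> list[str]:
    """Return findings that leave a session replayable from a Wi-Fi capture.
    The fix needs all three: the whole session on HTTPS, the Secure flag so
    the browser never sends the cookie over http://, and HSTS so a typed
    http:// URL cannot downgrade the first request."""
    findings = []
    if not over_https:
        findings.append("session served over plain HTTP: cookies visible on the wire")
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                if cname not in SESSION_COOKIE_NAMES:
                    continue
                if not morsel["secure"]:
                    findings.append(f"{cname}: no Secure flag, sent over http:// too")
                if not morsel["httponly"]:
                    findings.append(f"{cname}: no HttpOnly flag, readable by injected script")
    if over_https and not hsts:
        findings.append("no Strict-Transport-Security: a plain http:// visit leaks the cookies")
    return findings


# Constructed responses: a 2010-style site that used HTTPS for login only,
# and the same site after hardening.
VULNERABLE_RESPONSE = [
    ("Set-Cookie", "c_user=100004; Path=/"),
    ("Set-Cookie", "xs=9f2d6a1b; Path=/"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "c_user=100004; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "xs=9f2d6a1b; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("sidejacked:", sidejack(CAPTURED_REQUESTS))
    print("vulnerable:", audit_response(VULNERABLE_RESPONSE, over_https=False))
    print("hardened:  ", audit_response(HARDENED_RESPONSE, over_https=True))
```

The audit deliberately reports HttpOnly as well: it does nothing against a Wi-Fi sniffer, but a session cookie that survives the move to HTTPS is still the prize for any script injection, so the two flags are set together in practice.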


Threats Related to Social Networking

In social networking, the threats we need to worry about are server endpoints that now host customer data of some kind (as opposed to just marketing collateral and catalogs) and are public-facing—and, in many cases, on public clouds, which are owned/managed by the dominant social sites, such as Facebook and Twitter. So the concerns here would be about security of data and regulatory compliance issues related to the vertical industries involved.
E-commerce sites have had many years of experience in safeguarding themselves against theft of credit card information by complying with the rather exhaustive PCI DSS. This standard covers a broad range of topics related to security of data, networks, and computers (endpoints) in a given industry. Similar regulatory standards include, but are not limited to:

• The Health Insurance Portability and Accountability Act (HIPAA), for healthcare

• The Federal Information Security Management Act (FISMA), for the public sector

• The Gramm-Leach-Bliley Act (GLBA), for financial services.


Buyers Guide: Security Applications & Services

Company | Focus Areas
Actividentity Corp. | AUTH, IDM, NS
Afilias | WS
Application Security, Inc. | COM, DBS, R, VA
Arxan Technologies | EN, IPD, MALP
Aspect Security | APS, COM
Axway | EN, ES, IDM
Barracuda Networks | ES, NS, WS
Beta Systems Software AG | APS, AUTH, COM, IDM
Beyond Security | NS, SECT, VA, WS
BeyondTrust Software | AUTH, COM, IDM
BMC Software | COM, IDM
Centrify | AUTH, COM, EN, IDM, VS
Check Point Software Techs | AV, ES, IPD, MALP, MBS, …
Cigital | APS, R, SECT, VA
Cisco Systems | ES, MBS, NS, WS
Crosscheck Networks | COM, IDM, SECT, SOAS
EdgeWave | ES, WS
Entrust | AUTH, COM, DBS, EN, ES, IDM, WS
F-Secure Corp. | AV, MALP, MBS, WS
F5 Networks | APS, COM, DBS, NS, R, WS
Fiberlink Communications Corp. | AV, EN, IPD, MBS, VA
Fidelis Security Systems | COM, DBS, IDM
Gemalto NV | AUTH, DBS, EN
GFI Software | ES, VA, WS
Hewlett-Packard | APS, SECT, VA, WS
HP Fortify | APS, COM, R, VA
IBM | …, ES, IDM, …
Imperva | APS, COM, DBS, R, VA, WS
Integrigy Corp. | COM, IPD, VA, WS
Klocwork | SA, VA
Layer 7 Technologies | COM, SOAS
Lieberman Software | IDM, MALP
Lumension Security | AV, COM, DBS, R, VA
McAfee, Inc. | AV, COM, DBS, ES, IPD, MALP, MBS, NS, R, VS, WS
Microsoft | …
NCC Group | APS, DBS, NS, SECT, …
Oracle | APS, COM, DBS, IDM, R, VA, WS
Palamida | APS, COM, OSS
Panda Security | AV, WS
Parasoft | APS, COM, SA, SECT
PreEmptive Solutions | APS, EN
Proofpoint, Inc. | AV, COM, EN, ES, MSGS, NS
Protegrity Corp. | APS, DBS, EN, IPD
Quest Software | AUTH, COM, DBS, IDM, MSGS
Radware Ltd. | APS, COM, IPD, MALP, …
RSA, the security division of EMC | AUTH, COM, DBS, EN, ES, IDM, WS
SafeNet, Inc. | AUTH, COM, DBS, EN, NS, R, SOAS, WS
Security Innovation | APS, EN, R, SA, SECT, VA
SonicWALL | ES, IPD, MALP, MBS, NS, VS
Sophos | AV, COM, DBS, EN, ES, IPD, MALP, WS
Sourcefire, Inc. | COM, IPD, MALP, NS, R, VS
SPAMfighter | ES
StillSecure | COM, IPD, MALP, NS, VA, VS
Symantec | AUTH, AV, COM, ES, IDM, MSGS, R, VA, WS
Trend Micro | …, IPD, MALP, …
Veracode | …, OSS, R, …
VMware, Inc. | COM, VS
WatchGuard Technologies | AV, IPD, MALP, NS, WS
Webroot | AV, ES, IPD, MALP, WS
Websense, Inc. | DBS, ES, IPD, MALP, MSGS, WS

Key to Focus Areas (entries legible on the page): APS Application Security; COM Compliance; DBS Data/Database Security; EN Encryption; ES Email Security; IDM Identity Management; IPD Intrusion Prevention/Detection; MALP Malware Protection; MBS Mobile Security; MSGS Messaging Security.

Corporate websites that connect to the social-networking sites (with the familiar "Follow us on" invitations and/or "Like" buttons) should reconfirm their authenticity by using Extended Validation SSL (EV SSL) certificates. This demonstrates a commitment to the security of customers, and it helps combat phishing as well.


Technology/Vendor Options and Solutions

In an effort to offer comprehensive protection against emerging and traditional endpoint threats, endpoint security products have evolved into suites offering the following set of features:

• Anti-malware, which broadly includes protection against viruses, spyware, and other malware

• Endpoint firewalls, as a second level of defense behind the perimeter firewall

• Host Intrusion Prevention Systems (HIPS), to block malicious activity on servers and PCs

• Centralized management for patches, configuration, and reporting.

Gartner's term for these suites is "Endpoint Protection Platforms (EPP)," and in its December 2010 Magic Quadrant for EPP, the firm laments the fact that in 2010, malware effectiveness was on the rise in general, gaining an upper hand over recent enhancements in EPP products. The firm shares a concern that most of today's EPP vendors are working more on reactive signature-based detection techniques and less on attacking related root causes proactively. The Magic Quadrant of EPP vendors shows that Symantec, McAfee, Trend Micro, and Sophos lead the pack.

The report that accompanied this Magic Quadrant presents a thorough evaluation of EPP products from across the industry using an exhaustive set of business, technical, and financial criteria, and it highlights the strong and cautionary aspects of the products included in the analysis.

To build comprehensive endpoint security solutions, corporate IT groups and system integrators (SIs) first have to conduct a broader business and IT security analysis (including business drivers and threats). This will help them plan, build, and sustain a strategy for endpoint security. The approach should be an integral part of a broader enterprise cyber-security initiative and unified threat management (UTM) solution.

IBM strongly recommends, in its Redpaper on the IBM Security Framework,¹ that companies adopt relevant aspects of internationally accepted frameworks and best practices for IT governance. Two such recommended frameworks are Control Objectives for Information and related Technology (COBIT) and International Organization for Standardization 27002:2005 (ISO 27002:2005).

In addition, the vertical-industry security compliance standards that we listed earlier should be studied and strategically adopted.

The resulting planning, building, and sustaining/strengthening activities for endpoint security would involve:

• Business goals and related threat modeling and analysis

• Endpoint-security blueprint and related total cost of ownership and return-on-investment calculations

• Endpoint security use case analysis

• Endpoint security architecture (with an eye to how it fits with the company's overall enterprise security architecture) and implementation

• Ongoing vulnerability detection and patch management

• Audit and compliance enforcement

• Reporting.

    PCI DSS applies to any application that either stores, processes, or transmits the primary account number.


Prognosis

Gartner's concerns around EPP playing catch-up to the exploits of the cyber underworld underscore the need of the hour and are a call to action for greater shared responsibility and accountability across the ecosystem. This catch-up is supposed to have taken the EPP products market to $3.96 billion in 2010, resulting in 30-plus percent growth year over year. This growth speaks well of the efforts made, but the effectiveness of endpoint security must go up as well in 2012.

EPP vendors should certainly be analyzing root causes and developing remedies, but they should not be doing so in isolation. Collaboration is needed to plan and execute an industry-wide, unified counter-attack on cybercrime. Yes, scanning, patching, and personal firewalling through EPP is fine, but the overall security of the stack on the endpoint cannot be an afterthought.

Infrastructure vendors have to adopt "secure by design" principles (an evolving discipline that is actively being promoted by IBM and Citrix, among others) when they develop/enhance platforms that constitute the surface area of attacks on endpoints. And corporate IT and the SI community must do the same with the applications layer, showing some leadership in defining and implementing comprehensive UTM systems and policies.

Sreedhar Kajeepeta is global VP and CTO of technology consulting for GBS at CSC. CSC's consulting groups specialize in cloud computing, SOA, enterprise transformation, data warehousing and business intelligence/analytics, and application consulting (open source, JEE, and .NET). Kajeepeta is based in Farmington Hills, Mich., and can be reached at skajeepeta@csc.com.

¹ IBM Security Framework Redpaper: www.redbooks.ibm.com/abstracts/redp4528.html
Q&A: How to Be a Good Executive Sponsor

By Jim Johnson

The single most important person in any project is the executive sponsor (ES). His or her actions and decisions have a huge impact on the success and delivery of a project. However, Standish Group research shows that the majority of executive sponsors have little or no formal training on how to be an ES. In fact, most organizations expect their ESs to get their training "on the job." It is, therefore, the project manager assigned to the project the ES is supporting who supplies most of this education.

There are a number of problems with this practice: reliance on the project manager, the project manager's subordinate role, and differing views, approaches, and opinions about how to be a good ES.

The Standish Group set out to discover, map, and assess the skills needed to be a good ES. Part of that quest included an interview with Bill Coleman, founder of BEA Systems and venture angel.


Johnson: Tell us about one of the projects where you were an ES.

Coleman: I was the ES for the Solaris project at Sun Microsystems. Solaris was a brand-new operating system and would change the whole company—it would be the center of all Sun products in the future. We were under a mandate to build a brand-new operating system from scratch. Every line of code was to be written from the ground up. We used nothing from SunOS. The first thing I did was to select Steve Bourne as my program manager. The first thing Steve did was to ask me what the success criteria were. My number one success criterion was predictability.


Johnson: What was the single most important thing you learned from the Solaris project?

Coleman: The Solaris project was the future of the company [Sun Microsystems]. Our plan called for the project to last two and a half years, ending in June 1992. I wasn't concerned about shipping on that exact date. What I was concerned about was that we put a program in place that was predictable, so that we would know when we would ship, what we would ship, and the state of what we shipped. We needed to know this because the entire company was basing its plans around when and what we shipped. So if we got to six months before ship date and found we needed another year, that would sink the company. However, if a year before ship date we found we would have to make some tradeoffs with scheduling for function or cost, then it would be in the company's control. Steve Bourne, program manager, and I would have a one-on-one meeting every week to go over the progress of the project. The number one thing that an executive sponsor can do is set the expectations and clearly state how the team is being measured.


Johnson: What is your approach to being an ES?

Coleman: An ES is a coach, not a manager. As coach, you want to be a sounding board to listen to the team's issues and problems. The first thing the team needs to do is to write down their goals and objectives. So they take this huge, fuzzy problem and deconstruct it into manageable chunks. However, they always have to come back to the vision. The vision has to be from the top down, because you always have to come back to the reason you are doing the project in the first place. This starts from first principles—the most important goals. These principles then turn to metrics and measurables that turn into processes that can be predictive and quantified.


Johnson: What is the worst and best thing you can do as an ES?

Coleman: As project mentor, the worst thing you can do is tell the team how to solve their problems. The best thing to do is help them identify that they have problems and issues. You can help develop solutions for these issues, but it really has to be their resolution, because they have to own it and make it work. If they think it is your solution, they can blame you if it does not work. As the ES, you want the team to own the solution. The only thing I can manage is my time; otherwise, I am micromanaging.


Johnson: What is the difference between being a coach and a manager?

Coleman: Managing implies that you are telling somebody what to do: "You are going to stand at this place in this production line. You are then going to pick up the wrench, and when this part comes by you, turn the screw to the right until you see 4.4 pounds of pressure. You are then going to stop and wait for the next part to come down the belt." If you have managed everything about that job, you have paid not one cent for the intelligence of the individual. In the world we are in, you are hiring people for their knowledge and intelligibility.


Johnson: Tell us about one of your early projects.

Coleman: One of my first projects was the VisiOn project for VisiCorp. It was the first window system ever done for the PC in the early '80s. Terry Opdendyk was the president, and I was the director of product development. I was presenting the project plan to Terry, and he started to ask me the "what if" questions. I began to think we didn't have backup plans. These were the days of the waterfall development process, and by the time you learned you had the wrong approach, you were way down the development cycle. So, not only didn't I understand if things would succeed, but I didn't know how I was going to determine if things were on the right track. I determined that we should build a core product and make sure it worked, and then scale out functionality in an iterative process.


Johnson: What is your secret for getting things done?

Coleman: Scott [McNealy] had just reorganized Sun from products into functions, and I ended up with all six software divisions. The Solaris project was a hallmark for me in what we actually had to do. Before then, software had reported to hardware, and we had six versions of the SunOS, one for every hardware type. Every engineer in the company thought they could make changes to the operating system without formal testing. Sun, like Google today, equated process with bureaucracy and wanted no part of it. My feeling is bureaucracy is the reaction when the organization does not know how to get things done. So my first task as owner of the new software division was to create the software development framework [SDF], which was really a group of processes, but we kept that a secret.


Johnson: Give us an example of how you got things done.

Coleman: SDF had to do two things: guarantee a new release every six months, and each release had to improve both functionality and quality. SDF was very simple; it separated all the releases into a "train." Then we divided all the software groups into fewer than 10 people, including a marketing person and testers. The group had to own something that could be identified as to its competitive performance in the marketplace. So the team would own the product, and it was their responsibility to be the best in the market. A train would leave every six months, and no product could hold up the train. You could not get on the train unless you passed the quality and performance tests. No team wanted to be left off the train, and no one wanted to be responsible for their team not being on the train. It was all about individual and team accountability.


Johnson: So individual ownership was a big part of the success of the project?

Coleman: So we had these small groups, but they might be part of a bigger subsystem. The subsystem would also have to qualify to be on the train that left every six months. In order to manage this process, we did a software build every night and published the results online. Every engineer in the company could see if they were going to be part of the train or if they needed to do something to make sure they were on the train. If something was denied entry, it was flagged, and the group that owned it would have to make sure it was corrected or completed.


Johnson: What are the responsibilities of an ES?

Coleman: The leader of an organization only has three first-order responsibilities: the three Vs, hiring, and organizing. The three Vs are the most important—vision, value, and valuable. The leader must establish a compelling vision of why you are in business or why you are doing the project. The leader must prove why the project has differentiation. The leader must show how this differentiation has value to the customer. Then the leader must prove that the project is valuable to the organization and supports the vision.


Johnson: How do you handle the communications problem?

Coleman: If you develop a good process that is repeatable and measurable, it comes with a common language. It also comes with a set of metrics. Because you are so focused on having to deliver objective results, it forces a common vocabulary. Part of that vocabulary is building transparency and accountability into the process. A common vocabulary provides objectivity so there can be no ambiguity in the results.